Resending with the non-printable chars omitted:
Howard Chu wrote:
Thanks, but your trace clearly shows that this is a fault in Cyrus SASL; you should be reporting this issue to them.
valgrind confirms it as well:
5ddfddde do_bind: dn () SASL mech <garbage>
5ddfddde ==> sasl_bind: dn="" mech=<garbage> datalen=0
==11019== Thread 3:
==11019== Invalid write of size 1
==11019==    at 0x4B9B1DB: sasl_seterror (seterror.c:247)
==11019==    by 0x4B9A18D: sasl_server_start (server.c:1418)
==11019==    by 0x26B88B: slap_sasl_bind (sasl.c:1666)
==11019==    by 0x21E130: fe_op_bind (bind.c:279)
==11019==    by 0x21DCE1: do_bind (bind.c:205)
==11019==    by 0x1F35BA: connection_operation (connection.c:1185)
==11019==    by 0x1F3CE7: connection_read_thread (connection.c:1342)
==11019==    by 0x35DFF9: ldap_int_thread_pool_wrapper (tpool.c:1048)
==11019==    by 0x4DBE668: start_thread (pthread_create.c:479)
==11019==    by 0x4EFA322: clone (clone.S:95)
==11019==  Address 0x62032a8 is 0 bytes after a block of size 600 alloc'd
==11019==    at 0x483CFAF: realloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==11019==    by 0x4B930A4: _buf_alloc (common.c:2186)
==11019==    by 0x4B93299: _sasl_add_string (common.c:196)
==11019==    by 0x4B9B2D4: sasl_seterror (seterror.c:187)
==11019==    by 0x4B9A18D: sasl_server_start (server.c:1418)
==11019==    by 0x26B88B: slap_sasl_bind (sasl.c:1666)
==11019==    by 0x21E130: fe_op_bind (bind.c:279)
==11019==    by 0x21DCE1: do_bind (bind.c:205)
==11019==    by 0x1F35BA: connection_operation (connection.c:1185)
==11019==    by 0x1F3CE7: connection_read_thread (connection.c:1342)
==11019==    by 0x35DFF9: ldap_int_thread_pool_wrapper (tpool.c:1048)
==11019==    by 0x4DBE668: start_thread (pthread_create.c:479)
==11019==
==11019== Invalid read of size 1
==11019==    at 0x483DF54: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==11019==    by 0x4E53DE4: __vfprintf_internal (vfprintf-internal.c:1688)
==11019==    by 0x4E67029: __vsnprintf_internal (vsnprintf.c:114)
==11019==    by 0x3A1FFA: lutil_debug (debug.c:74)
==11019==    by 0x266FF3: slap_sasl_log (sasl.c:146)
==11019==    by 0x4B9B4CF: sasl_seterror (seterror.c:260)
==11019==    by 0x4B9A18D: sasl_server_start (server.c:1418)
==11019==    by 0x26B88B: slap_sasl_bind (sasl.c:1666)
==11019==    by 0x21E130: fe_op_bind (bind.c:279)
==11019==    by 0x21DCE1: do_bind (bind.c:205)
==11019==    by 0x1F35BA: connection_operation (connection.c:1185)
==11019==    by 0x1F3CE7: connection_read_thread (connection.c:1342)
==11019==  Address 0x62032a8 is 0 bytes after a block of size 600 alloc'd
==11019==    at 0x483CFAF: realloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==11019==    by 0x4B930A4: _buf_alloc (common.c:2186)
==11019==    by 0x4B93299: _sasl_add_string (common.c:196)
==11019==    by 0x4B9B2D4: sasl_seterror (seterror.c:187)
==11019==    by 0x4B9A18D: sasl_server_start (server.c:1418)
==11019==    by 0x26B88B: slap_sasl_bind (sasl.c:1666)
==11019==    by 0x21E130: fe_op_bind (bind.c:279)
==11019==    by 0x21DCE1: do_bind (bind.c:205)
==11019==    by 0x1F35BA: connection_operation (connection.c:1185)
==11019==    by 0x1F3CE7: connection_read_thread (connection.c:1342)
==11019==    by 0x35DFF9: ldap_int_thread_pool_wrapper (tpool.c:1048)
==11019==    by 0x4DBE668: start_thread (pthread_create.c:479)